Check Last Password Change in Active Directory with A User Report

Written By Mohit Jha
Approved By Anuraag Singh
Published On June 4th, 2024
Reading Time 7 Minutes

Every admin wants a secure Active Directory, especially if the organization is planning an Active Directory migration. One way to ensure this is to check the last password change in Active Directory periodically. As passwords form the first line of defense against an intrusion, the admin must have a report on AD user password history. However, admins often find the traditional script-based methods problematic, so they end up delaying this crucial task, which leaves their AD in a vulnerable state.

Moreover, nowadays, password history viewing is not only a security check but a compliance requirement as well. Therefore, it’s even more important to have a list ready. Fret not, as we are here to help all admins with an easy-to-understand tutorial. Let us begin with the introduction to a manual auditing method that admins have at their disposal even without realizing it. And no, it is not ADUC.


How to Check Last Password Change Date in Active Directory with GPME

Most organizations allow password updates at the user level. Admins can also reset user credentials themselves, on top of locating users in the AD. Each situation has a different event ID associated with it, and auditing for both is switched on through the Group Policy Management Editor (GPME). As this console is an optional feature, it may be absent from your AD installation, so admins may first need to add it; otherwise, jump directly to Stage 2.

Stage 1: Install GPME

  • Use the Windows Search Bar to search for Server Manager and open it.
  • Look for the roles and features option in the center section of Server Manager.
  • Use the on-screen instructions till you are on the Features menu.
  • Under the available features, choose Group Policy Management (this is the feature that installs GPME). Follow the on-screen installation wizard for the next series of steps.
  • Once it installs, go to the next stage.

Stage 2: Use the Group Policy Management Editor

Step 1. Set up Password Change Auditing

  • Launch “GPME.msc”.
  • Select the Group Policy Object to edit.
  • Expand Computer Configuration.
  • Choose Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
  • Under Audit account management, right-click and choose Properties from the context menu.
  • In the dialog box that opens, tick Define these policy settings and mark both Success and Failure. Click Apply, then OK.

Step 2. Configure the Event Log so that the changes made to passwords are retained.
Follow Step 1 up to Security Settings.

  • Select Event Log.
  • Keep the security log’s maximum size below 1 Gigabyte (1000000 kilobytes).
  • Click Apply, then OK.

Step 3. Check the security logs inside Event Viewer:

  • Event ID 4724 is logged when an admin (or any other account) resets a user’s password.
  • Event ID 4723 is logged when a user attempts to change their own password.
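To turn those two event IDs into a reviewable list rather than scrolling through Event Viewer, here is an added PowerShell example (not from the original article) that reads 4723 and 4724 events from the Security log and reports who changed whose password. It assumes the auditing from Step 1 is in place and that the session can read the Security log of the domain controller named in $ComputerName.

```powershell
# Added example: summarise password change (4723) and reset (4724) events.
# Assumes Audit account management is enabled (Step 1) and the caller can read
# the Security log on the target domain controller.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME   # point this at a domain controller
)

$filter = @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = (Get-Date).AddDays(-$Days)
}
# -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # The EventData fields are named in the event XML, so read them by name
    # instead of relying on their position in the message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Action  = if ($e.Id -eq 4724) { 'Reset by another account' } else { 'Changed by the user' }
        Target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Result  = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
    }
}

# Resets (4724) where the actor is not the target deserve a second look:
# a user changing their own password logs 4723, not 4724.
$resets = $report | Where-Object { $_.EventId -eq 4724 -and $_.Actor -ne $_.Target }

$report | Sort-Object Time -Descending | Format-Table -AutoSize
"Password resets by actor in the last $Days days:"
$resets | Group-Object Actor | Select-Object Name, Count | Format-Table -AutoSize
# Hypothetical output path; change it to suit your environment.
$report | Export-Csv -Path "$env:TEMP\password-events.csv" -NoTypeInformation
```

Run it against a domain controller, since password events for domain accounts are written to the DC's Security log, not to the workstation's.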

If you feel navigating the Group Policy Management console is too cumbersome, don’t worry. For a more technical, cursor-free, code-based method, check out the following section.

Use Commands and Queries to List the Credential Update Date in the AD

PowerShell Script
This is probably the most sought-after method among technically savvy IT admins. However, before you begin, ensure that your workstation is joined to the AD domain and that the ActiveDirectory module (part of RSAT) is installed. Once the checks are done, do the following.

Step 1. Press Windows Key + R on your keyboard.
Step 2. Type “PowerShell”.
Step 3. Use Import-Module ActiveDirectory first.
Step 4. Then run the following cmdlet to check the last password change in Active Directory (pwdLastSet is stored as a FILETIME, which is why the expression converts it to a DateTime):

Get-ADUser -Filter * -Properties pwdLastSet | Select-Object Name, @{Name="LastPasswordSet";Expression={[DateTime]::FromFileTime($_.pwdLastSet)}} | Sort-Object Name | Format-Table


CMD Interface:
PowerShell is not the only way for admins to detect password updates in an AD. They can use the command line as well. Like the PowerShell method before, admins need to fulfil a basic set of prerequisites here as well, including that the workstation is joined to the AD domain.

Step 1. Start by pushing Windows + R simultaneously.
Step 2. This time, type “cmd” in the space in front of Open:
Step 3. After that, you can use any one of the command line queries given below:
Query 1: To get the password change date of the current user in human-readable format.

> net user %username% | findstr "Password last set"


Query 2: To get the password set date of all users (pwdLastSet is returned as a raw FILETIME integer, not a readable date).

> dsquery * -filter "(objectClass=user)" -limit 0 -attr displayName pwdLastSet


Note: Directly pasting these commands is not recommended. Check your organization’s security policy and make changes to these commands before using them. Moreover, if you are unable to get the desired result then check out the limitations discussed ahead.
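The one-liner in the PowerShell section converts the FILETIME but says nothing about accounts whose pwdLastSet is 0 (must change password at next logon) or whose password never expires, and the dsquery output is neither readable nor exportable. This added PowerShell example (not from the original article, and not the SysTools tool's code) builds a domain-wide report that flags those cases, applies a password-age threshold, and exports to CSV; $MaxAgeDays and the output path are assumptions you should adjust to your policy.

```powershell
# Added example: domain-wide last-password-set report with the edge cases the
# one-liner hides. Assumes the RSAT ActiveDirectory module and a domain-joined host.
param(
    [int]$MaxAgeDays = 90,                              # assumed policy threshold
    [string]$OutFile = "$env:TEMP\ad-password-age.csv"  # hypothetical output path
)
Import-Module ActiveDirectory

# pwdLastSet is a FILETIME; 0 means "must change password at next logon".
# PasswordNeverExpires is the DONT_EXPIRE_PASSWORD flag (0x10000) in userAccountControl.
$users = Get-ADUser -Filter * -Properties pwdLastSet, PasswordNeverExpires, Enabled, LastLogonDate

$now = Get-Date
$report = foreach ($u in $users) {
    $lastSet = if ($u.pwdLastSet -gt 0) { [DateTime]::FromFileTime($u.pwdLastSet) } else { $null }
    $ageDays = if ($lastSet) { [int]($now - $lastSet).TotalDays } else { $null }

    # Order matters: a disabled account is reported as such even if its password is stale.
    $status = if (-not $u.Enabled)             { 'Disabled' }
              elseif ($null -eq $lastSet)      { 'MustChangeAtNextLogon' }
              elseif ($u.PasswordNeverExpires) { 'NeverExpires' }
              elseif ($ageDays -gt $MaxAgeDays) { 'Stale' }
              else                             { 'OK' }

    [pscustomobject]@{
        Name            = $u.Name
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        LastPasswordSet = $lastSet
        PasswordAgeDays = $ageDays
        NeverExpires    = $u.PasswordNeverExpires
        LastLogonDate   = $u.LastLogonDate
        Status          = $status
    }
}

# Oldest passwords first, so the accounts that need attention top the sheet.
$report | Sort-Object PasswordAgeDays -Descending | Export-Csv -Path $OutFile -NoTypeInformation

# Quick on-screen summary: how many accounts fall into each status.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
"Report written to $OutFile"
```

Enabled accounts with a NeverExpires or Stale status are the ones to review first; the CSV opens directly in Excel or any other spreadsheet tool, which addresses the export gap noted below.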

Problems with Scripts to Check Password Change History in AD

  • PowerShell is highly technical. Deploying unknown external scripts may therefore have unintended consequences that admins did not plan for. Although these can be limited by adapting the scripts, admins may lack the technical know-how, and more time ends up being spent correcting the script than using it. For the small task of retrieving password change dates, this seems unnecessary.
  • Even the relatively simple cmd queries have quite a few drawbacks. The major one is that admins have to compromise: either get the password change date of a single user, or deal with a format that is not human-readable.
  • Admins may also skip the commands because their results can’t be directly exported into a shareable format like CSV. A clumsy workaround is sending a screenshot of the command line, but such a practice is not acceptable in a professional setting.
  • Not to mention that, with either PowerShell or CMD, admins have no idea what the output is going to look like until they run it. The only way to find out is to risk running the code on a live AD environment. There is, however, one simple way to do away with the script-based methods. Let us see what it is.

Script Free Way to Check Last Password Change in Active Directory for All Users

In any Windows Active Directory, the best method to list the date of a user password change is the SysTools AD Reporting Software. With its simple yet intuitive way, any admin, no matter if they have a technical background or not, can find the historical credential updates.


Moreover, tracking AD password changes may be a small task, but no admin can deny its significance in securing an Active Directory. Therefore, to get accurate, readable results, go through the procedure of using the tool.

Automated Instructions to Check Last Time Password Change in Active Directory

Step 1. Launch the software on your machine and put the word “administrator” in place of Username and Password.

Step 2. Once the tool is ready, press the “REGISTER DOMAIN CONTROLLER” option. If you already have a domain registered and want to add a new one, click on the building-like icon below the cross in the top-right part of your screen.

Step 3. Fill in the required details in the prompt box, i.e. the Domain Friendly Name and the IP Address of the domain. Then hit Save & Continue.

Step 4. In the Domain Details screen, enter the Admin User ID and Admin Password, then press the Save & Continue button below.

Step 5. After validation, change the screen to the Report tab. To check the last password change in Active Directory, select the Password Changed option under the Users category.

Step 6. You can also set an optional duration for the report. Either choose the premade time frame or make a custom date filter.

Step 7. Click on the Preview button to get an idea of what your report contains.

Step 8. Press Download and pick CSV from the Dropdown.

Step 9. Choose a location to save the report.

Step 10. View the CSV in any external spreadsheet or visualization software.

Conclusion

In this tutorial, we helped admins check the last password change in Active Directory for all users. We saw how this domain-wide credential history tracking forms a core component of security management in an AD. We also discussed multiple methods to see when a password update took place. Of these, only the professional method produces a shareable CSV-style report directly, so it is in the best interest of admins to use the method that best fits their needs.


By Mohit Jha

Mohit is a writer, researcher, and editor. Cyber security and digital forensics are the two subjects that keep Mohit out of his seat. In addition, he hopes that the well-researched and thought-out articles he finds will help people learn.